A security analysis of a recently proposed secure communication scheme based on the phase synchronization of chaotic systems is presented. It is shown that the system parameters directly determine the ciphertext waveform, hence it can be readily broken by parameter estimation of the ciphertext signal.
Most secure chaotic communication systems are based on complete synchronization (CS), whereas a new cryptosystem has been proposed based on phase synchronization (PS). This scheme hides binary messages in the instantaneous phase of the drive subsystem used as the transmitting signal to drive the response subsystem. Although it is claimed to be secure against some traditional attacks in the chaotic cryptosystems literature, including the parameter estimation attack, we show that it is breakable by this attack. As a conclusion, the system is not secure and should not be used for communications where security is a strict requirement.



I. INTRODUCTION 



In recent years, a great number of cryptosystems based on chaos have been proposed […], most of them fundamentally flawed by a lack of robustness and security. In [5], a secure communication scheme based on the phase synchronization of a chaotic system is proposed.

In this new scheme the plaintext binary message $b$ is hidden in the instantaneous phase of the drive subsystem used as transmitting signal to drive the response subsystem. At the response subsystem, the phase difference is detected and its strong fluctuation above or below zero recovers the plaintext at certain coupling strength.

The secure communication process is illustrated by means of an example based on coupled Rössler chaotic oscillators. In the example, the drive subsystem is formed by two weakly coupled oscillators. The plaintext is used to modulate the same parameter in both oscillators 1 and 2. The equations of the drive subsystem are:

$$\dot{y}_{1,2} = (\omega + \Delta\omega)\,x_{1,2} + \alpha\,y_{1,2},$$
$$\dot{z}_{1,2} = \beta + z_{1,2}\,(x_{1,2} - \gamma).$$

The response subsystem is governed by:

$$\dot{z}_3 = \beta + z_3\,(x_3 - \gamma).$$

FIG. 1: Plaintext recovery with the authorized receiver. Time histories of: (a) plaintext $b$; (b) ciphertext $\phi_m$; (c) reconstructed phase signal of the response subsystem $\phi_3$; (e) difference between the ciphertext and the reconstructed signal $\phi_m - \phi_3$; (f) reconstructed plaintext $b'$.



In the example, the parameter values are: $\omega$ […], $\varepsilon = 5 \times 10^{[\ldots]}$, $\eta = 5.3$, and $\alpha$ = […] = 0.15.
FIG. 2: Ciphertext phase signal $\phi_m$ as function of $\alpha$: (a) $\alpha = 0.01$, the phase increases almost linearly; (b) $\alpha = 0.15$, the phase increases monotonically with chaotic behavior; (c) $\alpha = 0.25$, the phase increases and decreases irregularly.



The parameters $\beta$ and $\gamma$ are held as constants, with the values $\{\beta, \gamma\} = \{0.2, 10\}$.

The parameter $\omega$ corresponds to the natural frequency of the Rössler oscillator drive subsystems 1 and 2. The parameter $\omega'$ corresponds to the natural frequency of the Rössler oscillator driven subsystem 3, $\varepsilon$ corresponds to the weak coupling factor between the oscillators 1 and 2, and $\eta$ corresponds to the strong coupling factor in the driven oscillator 3.

The parameter mismatch $\Delta\omega$ is modulated by the plaintext, being $\Delta\omega = 0.01$ if the bit to be transmitted is "1" and $\Delta\omega = -0.01$ if the bit to be transmitted is "0".

The ciphertext consists of the phase of the mean field 
of the drive oscillators: 

Xi^X2 

(pm = arctan . 

As the phase is a signal that has an unbounded amplitude it cannot be transmitted through physical channels. This problem is overcome by coding the signal from $\pi$ to $-\pi$, which corresponds to the Poincaré surface of the attractor, $y_{1,2} = 0$. As a consequence, the transmitted ciphertext, marked as […], is a sawtooth-like signal with a period equal to the revolution period of the oscillator.

At the receiving end the phase of the response subsystem is:

= arctan — 

ys 

that is also coded from $\pi$ to $-\pi$ as $\phi_3$.

The plaintext is retrieved by calculating the difference between the ciphertext and the reconstructed signal, $\phi_m - \phi_3$. The difference signal consists of positive and negative peaks that correspond to the ones and zeros of the plaintext.

The example of […] is illustrated in Fig. 1. We have simulated it with a fourth-order Runge-Kutta integration algorithm in MATLAB 6, with a step size of 0.001. In order to recover the plaintext with the exact waveform, allowing for a small time delay, we have included a Schmitt trigger as a reconstruction filter, with switch-on point at 4 and switch-off point at -4.




FIG. 3: Power spectral analysis of the ciphertext signal (horizontal axis in rads/sec). The highest peak corresponds to the frequency of $\omega$ and lies at
As in the example of […] there is no indication about the parameter initial values, our simulation is implemented with the following initial values: $(x_1^{(0)}, x_2^{(0)}, x_3^{(0)}, y_1^{(0)}, y_2^{(0)}, y_3^{(0)}, z_1^{(0)}, z_2^{(0)}, z_3^{(0)}) = (-5, -3, -1, 0, 0, 0, 0, 0, 0)$.

The authors seemed to base the security of their secure communication system on the properties of the phase synchronization. They claimed that it cannot be broken by some traditional attacks used against secure chaotic systems with complete synchronization, but no general analysis of security was included.

Although the authors point out that the system parameters play the role of secret key in transmission [5, §V], it is not clearly specified which parameters are considered as candidates to form part of the key, what the allowable value range of those parameters is, what the key space is (how many different keys exist in the system) and how they would be managed.

The weaknesses of this system and the method to break 
it are discussed in the next section. 



II. BREAKING THE SYSTEM 

The main problem with this cryptosystem lies in the fact that the ciphertext is an analog signal, whose waveform depends on the system parameter values. Likewise, the difference between the ciphertext and the phase signal of a non-synchronized receiver, $\phi_m - \phi_3$, depends on these same parameters. The study of these signals provides the necessary information to recover a good estimation of the system parameter values and the correct plaintext, as will be seen next.

Let us assume that the key consists of the oscillator's parameters $\alpha$ and $\omega$, as they are the only unknowns in the example of [5]. Moreover the parameters $\beta$ and $\gamma$, that were constants in the example, cannot be part of the key because, according to our experiments, the synchronization of the Rössler oscillator is indifferent to a mismatch of the value of these parameters in a range greater than 1 to 1000.

The search space of $\alpha$ may be restricted to the unique suitable value range for operation, characterized by the mild chaotic region of the Rössler oscillator, in which its phase increases monotonically with time, showing a chaotic increase rate, that allows hiding the binary information. This region is roughly characterized by the following values of $\alpha$:

$$0.03 < \alpha < 0.18 \qquad (3)$$

FIG. 4: Determination of the best value of $\omega'$: (a) ciphertext signal with frequency $\omega = 1.00$; (b) phase signal of the free running intruder receiver for $\omega' = 1.03$; (c) output of the phase comparator $\phi_m - \phi_3$ for $\omega' = 1.03$; (d) phase signal of the free running intruder receiver $\phi_3$ for $\omega' = 1.015$; (e) output of the phase comparator $\phi_m - \phi_3$ for $\omega' = 1.015$; (f) phase signal of the free running intruder receiver $\phi_3$ for $\omega' = 1.005$; (g) output of the phase comparator $\phi_m - \phi_3$ for $\omega' = 1.005$.

The operation of the system with lower values of $\alpha$ should be avoided because the waveform of the oscillator is quite uniform and its phase increases almost linearly with time. Therefore, the instantaneous phase fluctuations, due to the binary information modulation, cannot be effectively hidden, and thus the information could be easily retrieved from the signal.

Higher values of $\alpha$ should also be avoided because the Rössler oscillator operates in the wild chaotic region, in which the phase does not increase monotonically with time, showing erratic increases and decreases, rendering impossible the synchronization of the authorized receiver, thus preventing the correct data retrieval.

The behavior of the attractor with respect to $\alpha$ is illustrated in Fig. 2, in which the time history of the ciphertext signal $\phi_m$ for three values of $\alpha$ is shown. The first sample corresponds to $\alpha = 0.01$, showing that the phase increases almost linearly. The second one corresponds to $\alpha = 0.15$, showing that the phase increases monotonically with chaotic behavior. The last sample corresponds to $\alpha = 0.25$, showing that the phase increases and decreases irregularly.

FIG. 5: Determination of the best value of $\alpha'$, with $\omega' = 1.005$: (a) original plaintext, $b$; (b) output of the phase comparator $\phi_m - \phi_3$ for $\alpha' = \{0.05, 0.09, 0.13\}$, which is the same in three cases; (c) output of the phase comparator $\phi_m - \phi_3$ for $\alpha' = 0.17$; (d) recovered plaintext $b'$ for $\alpha' = 0.17$.

The sensitivity to the parameter values is so low that the original plaintext can be recovered from the ciphertext using an intruder receiver system with parameter values considerably different from the ones used by the transmitter ([5, Fig. 7]).

We have found that the plaintext $b'$ can be recovered even when $\alpha'$ has an absolute error of ±0.2. As a consequence, it is sufficient to try four values of $\alpha'$ to cover its full usable range. The best set of values is: $\alpha' = \{0.05, 0.09, 0.13, 0.17\}$.

In Fig. 3 we show the power spectral analysis of the ciphertext signal. As can be observed, the frequency of the Rössler oscillator is totally evident. The spectrum's highest peak appears at $\omega' \approx 1.03$, close to the parameter value of the drive subsystem $\omega = 1$. Thus, by simply examining the ciphertext, the second key element $\omega'$ is guessed with reasonable accuracy.

Let $\omega'$ be the approximate value of $\omega$. Once it is measured we can use it to recover the plaintext in the following way.

First, we introduce the estimated value of $\omega'$ into an intruder receiver with $\eta = 0$, that is without coupling, so the intruder receiver oscillator will be running freely. To check whether the estimation of $\omega'$ is good, we look at the output of the phase comparator $\phi_m - \phi_3$ as well as at the ciphertext signal $\phi_m$ and at the phase signal of the receiver $\phi_3$.

When the frequencies of transmitter and intruder receiver are slightly different, then $\phi_m - \phi_3$ will look like a train of pulses of increasing width summed with a direct current of increasing level; the final width and the rate of increase of the direct current level are proportional to the difference of frequencies $\omega' - \omega$. Also, the mismatch of the periods of the phase signals $\phi_m$ and $\phi_3$ is perceptible. With this information we can adjust the value of $\omega'$ in a few steps, until the width of the pulses tends to zero. Then, the period mismatch of the phase signals $\phi_m$ and $\phi_3$ is unnoticeable and its direct current level equals zero.

FIG. 6: Range of $\omega'$ and $\alpha'$ values that achieve correct plaintext recovery of a ciphertext generated with $\{\omega, \alpha\} = \{1.00, 0.15\}$.

The procedure is illustrated in Fig. 4. We begin with $\omega' = 1.03$, the value estimated from the spectrum, and we see that the correct value of $\omega'$ must be slightly lower, thus we try $\omega' = 1.015$ and we see that we are near the exact value but still a little bit high. Next we try $\omega' = 1.005$, and we see that the frequency match is quite good. We retain this last value of $\omega'$ as the definite one and go to the next step.
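The two $\omega'$ estimation steps described above (spectral peak, then adjusting until the comparator drift vanishes), as an added Python example that is not code from the paper. The signal is a constructed stand-in (a phase ramp with the ±0.01 bit modulation and small random rate fluctuations, wrapped to a sawtooth), not a simulation of the Rössler drive subsystem, and all function names are hypothetical; instead of trial steps it removes the measured drift in one correction.

```python
import math
import random

def make_ciphertext(omega=1.0, bits=(1, 0, 1, 1, 0), bit_time=60.0, dt=0.1, seed=7):
    """Constructed stand-in for the wrapped ciphertext phase (NOT the Rossler
    drive system): the phase advances at omega + d_omega, d_omega = +/-0.01
    per bit, with small random rate fluctuations, wrapped into (-pi, pi]."""
    rng = random.Random(seed)
    phase, samples = 0.0, []
    for bit in bits:
        d_omega = 0.01 if bit else -0.01
        for _ in range(int(round(bit_time / dt))):
            phase += (omega + d_omega + 0.05 * rng.uniform(-1.0, 1.0)) * dt
            samples.append(math.atan2(math.sin(phase), math.cos(phase)))
    return samples

def spectral_peak(samples, dt, lo=0.5, hi=1.5, step=0.005):
    """Angular frequency (rad/s) of the highest periodogram peak in [lo, hi]."""
    best_w, best_power = lo, -1.0
    for k in range(int(round((hi - lo) / step)) + 1):
        w = lo + k * step
        re = sum(s * math.cos(w * i * dt) for i, s in enumerate(samples))
        im = sum(s * math.sin(w * i * dt) for i, s in enumerate(samples))
        if re * re + im * im > best_power:
            best_w, best_power = w, re * re + im * im
    return best_w

def comparator_drift(samples, dt, omega_guess):
    """Mean slope of (free-running phase - unwrapped ciphertext phase):
    positive when omega_guess is too high, about zero when it matches."""
    total = 0.0
    for prev, cur in zip(samples, samples[1:]):
        step = cur - prev
        if step < -math.pi:      # sawtooth reset from +pi to -pi
            step += 2.0 * math.pi
        elif step > math.pi:
            step -= 2.0 * math.pi
        total += step
    return omega_guess - total / ((len(samples) - 1) * dt)

def estimate_omega(samples, dt):
    """Coarse guess from the spectrum, then removal of the measured drift."""
    coarse = spectral_peak(samples, dt)
    return coarse, coarse - comparator_drift(samples, dt, coarse)

if __name__ == "__main__":
    coarse, refined = estimate_omega(make_ciphertext(), dt=0.1)
    print(f"spectral peak {coarse:.3f} rad/s, drift-corrected {refined:.4f} rad/s")
```

Any key element that sets the waveform's repetition rate can be read off the transmitted signal this way, which is why a design review should treat such a parameter as public rather than as key material.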

Finally, we set $\eta = 5.3$ at the intruder receiver and look at the retrieved data $b'$ for the previously obtained $\omega'$ and for each of the four possible values of $\alpha'$. In Fig. 5 the retrieved binary data $b'$ obtained with $\omega' = 1.005$ and $\alpha' = \{0.05, 0.09, 0.13, 0.17\}$ are presented. It can be seen that for $\alpha' = \{0.05, 0.09, 0.13\}$ only zero value data are obtained and for $\alpha' = 0.17$ some output data are present, thus we may assume that the value of $\alpha' = 0.17$ can be retained as the appropriate one to retrieve the plaintext $b'$ and that the data obtained with it consist of the correct recovered plaintext, as can be verified from the figure.

Although the estimated pair of values $\{\omega', \alpha'\} = \{1.005, 0.17\}$ are far from the right ones, the plaintext is correctly recovered as a consequence of the system's low sensitivity to parameters.

Moreover, we have observed that many other combinations of parameter values allow for the recovery of the correct plaintext as well. In Fig. 6 we show after many simulations the region of $\{\omega', \alpha'\}$ values in which correct plaintext recovery of a ciphertext generated with a drive subsystem with $\{\omega, \alpha\} = \{1.00, 0.15\}$ is achieved.

III. CONCLUSION 

The proposed cryptosystem is rather weak, since it can be broken by measuring the power spectrum of the ciphertext signal and trying a small set of parameter values. There is no detailed description about what the key is, nor what the key space is, a fundamental aspect in every secure communication system. The lack of security discourages the use of this algorithm for secure applications.